Wireless sensor networks are increasingly deployed for health monitoring, leading to ubiquitous patient monitoring systems. In these systems, each patient carries a body sensor network (BSN) that enables the monitoring of his vital signs at home, at hospitals, or virtually anywhere. In this context, a patient can be monitored in very different scenarios and with different sets of medical sensor nodes or devices.
Sensor and wireless communication technologies are rapidly evolving and conquering new application areas, such as healthcare. Wireless medical sensors (WMSs) are becoming smaller and more powerful, allowing for ubiquitous usage for a wide range of medical applications, such as chronic disease management. In a typical healthcare setting, a set of WMSs which provide measurements of a variety of parameters, e.g., ECG, SpO2 and blood pressure, forms the user's body sensor network (BSN), allowing for health monitoring, measuring a user's vital signs and forwarding his electronic health information (EHI) to a gateway, such as a mobile phone. The gateway allows the user to directly access and process his EHI, and moreover, transmits it, e.g., to a healthcare service provider, where it is stored and can be accessed or modified by authorized parties, such as medical staff, family, or sport trainers.
The ubiquitous use of BSNs enables health monitoring in users' regular environments, e.g., at home or during training, and thus, improves users' well-being and healthcare quality, yet allows for cost reduction in the healthcare sector. Health monitoring in these diverse situations and locations is carried out by different organizations, such as surgeries, fitness centers, hospitals, or retirement homes by means of medical sensor networks (MSNs). An MSN comprises a large pool of WMSs used to monitor vital signs of a few or many users with disease-specific sensors and algorithms. Thus, MSNs have different operational requirements with respect to their size, capabilities, or field of application. In an MSN, an arbitrary subset of WMSs can be associated with a patient to form his BSN and monitor his state of health in real-time. The user's measured EHI can be processed by the WMSs of the BSN or by a clinical PDA, or can be sent via a gateway to either a local MSN database or back-end healthcare services, e.g., the healthcare service provider, disease management service, personal health record service or the implant monitoring service, for further processing.
Pervasive MSNs are decoupled from each other as they may belong to different organizations. Consequently, WMSs that are from different MSNs might not be interoperable on the hardware and software levels due to technical incompatibilities, or on the organizational level due to different security policies. However, the vision of pervasive healthcare requires all MSN application scenarios to work together and to be connected to back-end services in order to allow users to move across MSNs and to ensure that their health state can be monitored by authorized personnel of different organizations, including hospitals or insurance companies.
The exchange of users' medical data intra- and inter-MSNs leads to privacy and security concerns demanding basic security services, e.g., confidentiality and authentication. These security services must ensure patients' safety and privacy, as required by healthcare alliances such as HITRUST, and must comply with legal directives such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the European directive 95/46 on data protection. In particular, a user's EHI must be protected from end-to-end, that is, from his BSN's WMSs to MSN databases and back-end healthcare services, in order to prevent unauthorized parties from accessing his medical data. However, providing privacy in such an environment is challenging due to MSN features including: (i) inter- and intra-MSN user mobility; (ii) the resource-constrained nature of WMSs; (iii) the fact that any subset of WMSs of an MSN's WMS pool can form the BSN used to monitor the health state of a user; and (iv) the requirement of unambiguous user and BSN identification in the whole system of pervasive MSNs.
Security and privacy issues have been addressed for both the centralized back-end services and isolated MSN application scenarios. For instance, an XML security infrastructure was introduced to provide access control to EHI in the back-end infrastructure. Security issues for wireless sensor networks in isolated healthcare applications were analyzed. Security requirements and infrastructure for stand-alone clinical information systems have been presented. However, the state-of-the-art lacks the definition of a comprehensive security system where a patient's BSN can be unambiguously identified in the whole system of pervasive MSNs, where WMSs can be associated to a patient's patient area network (PAN) or BSN in a secure and efficient manner, and where end-to-end security can be provided by means of an efficient key distribution approach.
It is a challenge to meet the strict security requirements for medical applications which are legally required by directives such as HIPAA. The safety and privacy of a user's medical data must be ensured from end-to-end, i.e., from the individual sensor nodes to the back-end healthcare services. This is particularly challenging due to the features of pervasive medical sensor networks (MSNs) such as: (i) supporting patient intra- and inter-MSN mobility; (ii) taking into account the resource-constrained nature of medical sensors; (iii) forming a user's body sensor network from any subset of a medical sensor network's pool of wireless medical sensors; and (iv) providing unambiguous user and body sensor network identification.
A pervasive healthcare system is applicable to a broad range of healthcare scenarios and combines diverse technologies. On the organizational level, the pervasive healthcare system may be divided into MSNs controlled by different institutions, e.g., hospitals, fitness centers, surgery centers, or home-based. In general, MSNs are distributed, large-scale, ad hoc networks that operate in a stand-alone fashion. MSNs may comprise a large number of WMSs associated with different patients and BSNs. In general, only WMSs associated with the same patient communicate with each other, so that BSNs are disconnected. Both patient and node mobility make the MSN topology highly dynamic. In the prior art, on the implementation level, WMSs used in different MSNs are not interoperable from a technical and security point of view, as they might not be based on compatible technologies and may belong to different security domains.
In order to make WMSs wearable and to prevent them from burdening a user's daily life, WMSs need to be small and lightweight. As a result of these size and weight constraints, WMSs are also constrained regarding battery lifetime, available memory, and computational power. In this context, IEEE 802.15.4 and ZigBee are two key standards due to their low energy, memory, and computational requirements, fitting low rate wireless personal area network (PAN) or BSN applications.
Due to the restricted radio range of the WMSs which form a BSN, the WMSs need to rely on a gateway device to ensure persistent connectivity to remote back-end healthcare services that manage, store and give access to the patient's medical data. Communication between gateways and healthcare services may be achieved by wireless means for mobile BSNs, or wired means for applications in a restricted, closed environment, e.g., a hospital. Well known technologies such as WLAN, GSM, UMTS or Ethernet are used for these purposes. The back-end healthcare services may be of a centralized nature, e.g., the healthcare provider service, the personal healthcare record service, or the healthcare security service. However, these healthcare services might also be distributed among various healthcare institutions or insurance companies.
The technical features of the WMSs used in medical applications as well as the operational requirements of MSNs impose novel challenges to the definition of a security system, especially when compared with traditional computer networks or static stand-alone wireless sensor networks.
Firstly, WMSs are resource-constrained devices. For instance, the MICAz platform has been used by many research institutions in the design of WMSs. MICAz is outfitted with a program flash memory of 128 Kbytes and a RAM of 4 Kbytes. The radio chip, the CC2420, implements AES in hardware and communicates at 250 kbps. The CPU runs at a clock frequency of 8 MHz and lacks a division operation. Therefore, security solutions must be energy-efficient, minimize memory requirements, especially RAM, and consume a negligible amount of computational and communication resources to avoid DoS (Denial of Service) attacks.
Another aspect imposing requirements on medical applications concerns the maximum allowed latency on the transmission of medical information as well as BSN setup time. For instance, ECG requires a maximum latency of 250 msec, and network setup must be carried out in less than 1 second. Therefore, execution time of security procedures must be minimized in order to not restrict normal everyday operation, e.g., during the ward rounds of a doctor, and to prevent attackers from launching DoS attacks.
Additionally, the security system must be scalable at both the MSN and the WSN level. On the one hand, the pervasive healthcare architecture must enable adding and integrating new MSNs, e.g., in a new retirement home, in the pervasive healthcare system. On the other hand, a stand-alone MSN can comprise thousands of WMSs, e.g., in a hospital. Hence, security services, as well as their provisioning, must be scalable on both of these levels to enable a truly ubiquitous and secure healthcare system for large numbers of MSNs and patients.
Mobility of WMSs with and between users of an MSN imposes additional requirements on the BSN association and configuration as well as on the key distribution approaches. Firstly, BSN association, which can take place very frequently, must be unobtrusive, automatic, palpable, secure, and transparent for the medical staff, to avoid distraction from patient care. Each BSN can be considered as a dynamic independent security domain within an MSN where WMSs can join and leave at any time, e.g., a new WMS of a hospital's MSN may be attached to a patient, and associated with his BSN. On the other hand, mobility of patients and caregivers makes an MSN's topology dynamic and leads to network segmentation and network mergers. For instance, patients' BSNs in a hospital setting may be disconnected from the hospital's MSN and infrastructure, e.g., when taking a walk in the hospital's garden. Situations such as medical emergencies may require immediate treatment by a doctor. Thus, any doctor must be able to establish secure communication in an ad hoc manner and to monitor the patient's vital signs in a secure manner, which precludes the use of some key-distribution protocols.
Finally, the healthcare system should allow for unique identification of users and BSNs in different MSNs in order to unambiguously link users' EHI which may be generated in different MSNs by different WMSs.
Security Challenges
There are three main security challenges that need to be addressed to define a comprehensive security system: key distribution in pervasive MSNs, secure BSN association, and unambiguous and unique user identification.
KEY DISTRIBUTION is the security cornerstone of both stand-alone MSNs and interconnected MSNs, as this defines how WMSs receive and handle the cryptographic keys used to enable the most basic security requirements, such as confidentiality and authentication both intra- and inter-MSNs. There are a variety of very different key distribution techniques based on public key, centralized (online) trust centers or key sharing. In general, the feasibility of one approach or another depends on the operational requirements and technical restrictions of each specific medical setting. For instance, symmetric cryptographic keys can be preconfigured on the WMSs belonging to a static BSN in a small MSN. However, this configuration is impossible in highly dynamic environments, e.g., hospitals, due to node mobility, where BSN membership is unpredictable. Performing computationally complex operations increases battery drain and communications delay and may render communication protocols susceptible to DoS attacks that could possibly block required processing of medical data. The most efficient implementations of public-key systems based on elliptic curve cryptography still require 0.81 sec. for a single point multiplication, i.e., the basic operation for establishing a common key. This fact makes these key establishment protocols prone to resource exhaustion attacks targeting computational and energy resources. Thus, the use of public key cryptography in MSNs should be minimized as far as possible. Key establishment based on an online trust center (TC) relies on the TC to distribute keys to WMSs, as in, e.g., ZigBee. This approach suffers from the single-point-of-failure nature of the TC and from the increased traffic load for nodes on the path to the TC, which drains these nodes' batteries. DoS attacks and packet collisions might also prevent WMSs from succeeding in the initial key agreement handshake, and thus keep them from transmitting medical data.
Additionally, connectivity to a TC cannot be guaranteed in many situations, such as medical emergencies and disaster response. For these reasons, computationally inexpensive symmetric key cryptography solutions that enable direct key agreement, such as hash functions or polynomials, are the preferable option in stand-alone MSNs.
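As an added illustration (not part of the original text, and not the code of any scheme cited here), the sketch below shows direct key agreement from a symmetric bivariate polynomial, one polynomial-based approach of the kind mentioned above: an offline setup step gives each WMS a share, and any two WMSs then compute the same link key without an online trust center or public-key operations. The field size, polynomial degree, node IDs, function names and the SHA-256 derivation label are assumptions chosen for the example.

```python
import hashlib
import secrets

Q = 2**61 - 1  # prime modulus (assumed); key entropy is bounded by the field size
LAMBDA = 3     # degree (assumed): up to LAMBDA captured shares reveal no other pair's key


def generate_master_polynomial(degree=LAMBDA, q=Q):
    """Offline setup: coefficients a[i][j] of f(x, y), with a[i][j] == a[j][i]."""
    n = degree + 1
    a = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            a[i][j] = a[j][i] = secrets.randbelow(q)
    return a


def derive_share(master, node_id, q=Q):
    """Share loaded onto one WMS: the coefficients of g(y) = f(node_id, y)."""
    if not 0 < node_id < min(q, 2**32):
        raise ValueError("node ID must be a non-zero 32-bit value below q")
    share = []
    for j in range(len(master)):
        acc = 0
        # Horner evaluation of sum_i a[i][j] * node_id**i; no division needed.
        for i in reversed(range(len(master))):
            acc = (acc * node_id + master[i][j]) % q
        share.append(acc)
    return share


def pairwise_secret(share, peer_id, q=Q):
    """Evaluate the node's share at the peer's ID: g(peer_id) = f(own_id, peer_id)."""
    acc = 0
    for coeff in reversed(share):
        acc = (acc * peer_id + coeff) % q
    return acc


def link_key(share, own_id, peer_id, q=Q):
    """Derive a 128-bit AES link key from the pairwise secret and both IDs."""
    secret = pairwise_secret(share, peer_id, q)
    lo, hi = sorted((own_id, peer_id))  # same ordering on both sides
    material = secret.to_bytes(8, "big") + lo.to_bytes(4, "big") + hi.to_bytes(4, "big")
    return hashlib.sha256(b"msn-link-key" + material).digest()[:16]


def demo():
    """Constructed scenario: three WMSs (IDs 17, 42, 99) from one MSN pool."""
    master = generate_master_polynomial()
    shares = {nid: derive_share(master, nid) for nid in (17, 42, 99)}
    k_17_42 = link_key(shares[17], 17, 42)
    k_42_17 = link_key(shares[42], 42, 17)
    k_99_17 = link_key(shares[99], 99, 17)
    return k_17_42, k_42_17, k_99_17


if __name__ == "__main__":
    a, b, c = demo()
    print("17<->42 keys match:", a == b)
    print("99<->17 key differs from 17<->42:", a != c)
```

Each share costs LAMBDA + 1 field elements of storage and each key agreement costs LAMBDA modular multiply-adds, which is why this style of scheme fits devices with a few kilobytes of RAM.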
SECURE BSN ASSOCIATION refers to the formation of a BSN and how the WMSs of a BSN are identified and associated with a particular user. In static scenarios, in which only fixed sets of wireless sensors are communicating, the BSN association is carried out only once by means of a simple pairing procedure. However, in more complex settings, such as in retirement homes or hospitals, where a user's BSN may consist of arbitrary sets of WMSs taken from the MSN's WMS pool, WMSs must be associated in a secure manner to a patient. Within the security domain of an MSN, a BSN must be understood as a completely independent security sub-domain wherein the security relationships are handled in an autonomous manner.
The problem of BSN association has recently been addressed in different ways. Baldus et al., “Reliable Set-Up of Medical Body-Sensor Networks”, EWSN 2004, used a setup pen to distribute the BSN identifier to medical nodes via infrared. The BLIG approach (J. Andersen, and J. E. Bardram. “BLIG: A New Approach for Sensor Identification, Grouping and Authorization in Body Sensor Networks”. 4th Int. Workshop on Wearable and Implantable Body Sensor Networks, (BSN 2007), Mar. 26-28, 2007, Aachen, Germany.) makes use of a special node attached to the body. The other nodes receive the user identifier when they are brought close to it by means of a short-range communication technology. Falck et al. “Plug 'n Play Simplicity for Wireless Medical Body Sensors,” Pervasive Health Conference and Workshops, 2006, vol., no., pp. 1-5, Nov. 29 2006-Dec. 1 2006, propose the use of body-coupled communication (BCC) technology to distribute the user and BSN ID. In this approach, each patient carries an identification token that automatically distributes the patient's ID, and other configuration information, to WMSs attached to the patient's body by means of BCC. Therefore, this approach does not require clinician intervention during the BSN setup. However, secure BSN association protocols are needed as these approaches do not support basic security services nor do they allow for transforming a BSN into an independent security domain.
Unambiguous and unique user identification refers to the fact that an individual can be attended in different MSNs with different medical equipment as described previously. Measured medical information must be linked in an automatic manner to a master patient identifier recognized in the whole healthcare system in order to enable interoperability between independent pervasive MSNs. These identifiers should be regulated in order to ensure interoperability between different administrative and healthcare institutions. Dynamic session identifiers might be used to ensure patient's privacy and to identify a patient in a different way depending on the context.
An integrated solution for all three of the requirements described above enables the deployment of secure BSNs and MSNs as well as end-to-end security between WMSs and back-end healthcare services. The design of such a system is challenging and complex, as users might move across different MSN organizations and in some applications users' BSNs can comprise sub-sets of WMSs arbitrarily picked up from the MSN's pool of WMSs.
Additional Security Requirements
In addition to the main security issue aiming at ensuring the secure configuration of the system, additional security services are necessary. Note that the provision of many of these traditional security services is based on cryptographic keys and identifiers. We will provide an overview of them shortly.
a) Privacy and confidentiality refers to the protection of data, identity, and context information to prevent attackers from eavesdropping on communication. For instance, data confidentiality is achieved by means of encryption algorithms such as the Advanced Encryption Standard (AES).
b) Data integrity refers to the protection of data from unauthorized manipulation by means of, e.g., a message authentication code.
c) Identification and authentication addresses the techniques used to ensure validation of different medical events, user identities, and exchanged data. Identifiers should be regulated and standardized in order to ensure interoperability and unambiguous identification as required by HIPAA. Identities should be linked to some cryptographic keying material in order to ensure authentication.
d) Auditing refers to the techniques used to log all data accesses and it is required to fulfill the HIPAA requirements on accountability and provide a traceable record in case of misuse.
e) Access control techniques are necessary to authorize access to patient's EHI and BSN. In addition, access control policies are to be defined addressing issues such as access control priorities and delegation as defined in R. J. Anderson, “A security policy model for clinical information systems,” sp, p. 0030, 1996 IEEE Symposium on Security and Privacy, 1996; and K. Sohr, M. Drouineaud, G. Ahn. “Formal specification of role-based security policies for clinical information systems” ACM Symposium on Applied Computing, 2005, Santa Fe, N. Mex., Mar. 13-17, 2005.
Security and privacy are essential in the medical domain in order to fulfil legal requirements such as HIPAA in USA or the European Directive 95/46 on data protection in Europe. In this context, end-to-end security between medical sensor nodes (or devices) and back-end healthcare services in hospitals is a problem of paramount importance that is currently unsolved. End-to-end security must be independent from the set of sensor nodes used to monitor a patient, and independent from the healthcare service used during the care cycle. This requirement includes (i) the secure association of body sensor networks, (ii) the secure storage of medical related information in the body sensor network, (iii) the unambiguous, but at the same time privacy-aware identification of patients in the whole system, and (iv) the secure transmission of patient information between sensor nodes and healthcare services.
Related known prior art technologies do not solve these problems:
US Patent Application 2007/0043594 describes an electronic healthcare delivery system comprising: (i) a NFC (near field communications) controller chip; (ii) a smart card controller chip; (iii) a wireless peer-to-peer communication protocol; etc. Although the goal of this system is to enable pervasive healthcare, there are some basic differences and shortcomings within this prior art. First, it must be pointed out that this system relies upon NFC technology. Importantly, this patent application does not address security issues, e.g., key distribution, body sensor network association, end-to-end security in pervasive healthcare at all. Likewise, this patent application does not disclose wireless sensor networks and body sensor networks at all.
DE 20008602 U discloses a system in which patient's vital signs, measured by a set of ECG sensors carried by a patient, are linked to the patient's identity. The patent application discloses a card reader to enable patient identification. However, this system fails to disclose end-to-end security and secure body sensor network association.
US 2005/10245995 A1 discloses a data transmission unit for wireless communication with an electromedical implant and a data acquisition and evaluation center. This system fails to disclose an end-to-end security protocol from medical sensor networks including key distribution in body sensor networks, body sensor network association, body sensor network identification and end-to-end security.
US 2003/10229518 A1 discloses a method for recording of patient actions. The system provides a medical equipment to identify a patient so that the data obtained during the use of the medical equipment is attributed to the patient. This system fails to disclose a system for identifying body sensor networks and enabling end-to-end security from body sensor networks to back-end medical systems.
U.S. Pat. No. 6,564,056 B1 describes a controller that administers the devices that are registered to the controller. Each device is registered to the controller by inserting a memory into the controller's card reader. Communications between the controller and devices are secured by using the devices' identifiers as encryption keys. This application fails to disclose a card reader that identifies and registers body sensor network devices, but identifies the body sensor network user.
US 200210188473 describes a system that includes patient identification and allows the user to have access to the patient's medical history. The system is based on a smart card. This system fails to address wireless sensor networks and body sensor networks, body sensor network identification, sensor node identification, secure body sensor network association, and end-to-end security between sensor nodes and medical back-end systems.
WO2007/149850 A2 describes a key distribution method that allows any pair of devices in a hospital to agree on a common key in a distributed manner. In this manner, this patent application guarantees basic security services between sensor nodes or between a sensor node and a bedside monitor. However, the important security gap of end-to-end security is still unresolved.
WO2008/014432 A2 describes a method to enable patient identification based on body coupled communications (BCC). In this patent application, every patient carries a body-coupled communications tag. When a patient wants to make use of a specific medical device or the like, the medical device communicates with the body-coupled communications tag by means of body coupled communications to receive the patient ID. In this manner the medical device can make use of the patient's identification information to personalize its measurements or to attach the patient's identification to the measured vital signs before forwarding them to a doctor. Although this approach allows for the identification of patients in a very simple manner, security threats to the system are not taken into account. For instance, an intruder, Bob, might steal Alice's tag and read out Alice's identification information. Afterwards, Bob might impersonate Alice or even get access to Alice's personal medical information.
This application addresses the problem of end-to-end security between body sensor network nodes and back-end healthcare services. To this end, this application solves the following security issues:
1. Secure setup of a body sensor network—in the sense that all the communications between all the devices in a body sensor network are secure with respect to authentication and confidentiality;
2. Unambiguous identification of patient—in the sense that a patient is unambiguously identified in the whole system including body sensor networks, back-end security services, etc; and
3. Secure storage of medical related information, so that only authorized personnel can have access to it.